Bug 520480 (CVE-2014-5461)

Summary:	<dev-lang/lua-{5.1.5-r200,5.2.3}: overflow flaw in vararg functions
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	lori, mabi, rafaelmartins, robbat2, sam, williamh
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugzilla.redhat.com/show_bug.cgi?id=1132304
Whiteboard:	B2 [glsa+ cve]
Package list:	=dev-lang/lua-5.1.5-r4	Runtime testing required:	---

Description Agostino Sarubbo gentoo-dev

2014-08-22 08:53:36 UTC

From ${URL} :

An overflow flaw was fixed in Lua 5.2.2:

http://www.lua.org/bugs.html#5.2.2-1

This could cause the application to crash or, potentially, execute arbitrary code. One way an attacker could trigger this issue is if 
they can control parameters to a loadstring call (an eval in Lua, http://en.wikipedia.org/wiki/Eval#Lua).
Although Fedora 20 has 5.2.2, the issue is not resolved there.


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.

Comment 1 Yury German Gentoo Infrastructure

2014-09-09 19:15:35 UTC

Original request if ready for stabilization on 8/22. 5.23 is in tree but masked. Please advise what is the status for stabilization, even if the status is not ready, and the reasons (or bugs) that are blocking this.

Comment 2 Yury German Gentoo Infrastructure

2014-10-05 13:04:44 UTC

Ping on question on stabilization, please advise. Otherwise will call for stabilization on around October 11, 2014.

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2016-11-24 23:49:48 UTC

http://www.lua.org/bugs.html#5.2.2-1:

reported by 云风 on 17 Apr 2013. existed since 5.1. fixed in 5.2.3.

CC'ing new maintainer.


@ Maintainer(s): The call for stabilization timed out 2y ago... due to changed maintainer, please advise us how to proceed. >=dev-lang/lua-5.2.3 has to go stable and previous versions needs to get cleaned up.

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2016-11-28 18:44:59 UTC

Note: I ping'ed William via IRC. He needs to talk to Rafael first. If we don't get an update from maintainers until 2016-12-30 security will consider next steps.

Comment 5 Rafael Martins (RETIRED) gentoo-dev

2016-11-28 19:14:47 UTC

Should be fixed in -r4

Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev

2016-11-28 19:19:53 UTC

OK, maintainer decided to patch existing 5.1.5 version (https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=856bde253c4184b33adc1f0267e80464d564763b), thanks!


@ Arches,

please test and mark stable: =dev-lang/lua/lua-5.1.5-r4

Comment 7 Agostino Sarubbo gentoo-dev

2016-11-29 10:41:17 UTC

amd64 stable

Comment 8 Agostino Sarubbo gentoo-dev

2016-11-29 10:43:40 UTC

x86 stable

Comment 9 Markus Meier gentoo-dev

2016-11-30 19:31:21 UTC

arm stable

Comment 10 Tobias Klausmann (RETIRED) gentoo-dev

2016-12-02 14:21:34 UTC

Stable on alpha.

Comment 11 Agostino Sarubbo gentoo-dev

2017-01-11 10:37:08 UTC

sparc stable

Comment 12 Jeroen Roovers (RETIRED) gentoo-dev

2017-01-14 12:36:16 UTC

Stable for HPPA.

Comment 13 Agostino Sarubbo gentoo-dev

2017-01-15 15:51:02 UTC

ppc stable

Comment 14 Agostino Sarubbo gentoo-dev

2017-01-17 14:25:26 UTC

ia64 stable

Comment 15 Agostino Sarubbo gentoo-dev

2017-01-18 10:03:30 UTC

ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 16 Aaron Bauman (RETIRED) gentoo-dev

2017-01-19 10:49:21 UTC

GLSA request filed.

Another LWN article... "Gentoo patches ancient bug."

Comment 17 Aaron Bauman (RETIRED) gentoo-dev

2017-01-23 03:32:23 UTC

This issue was resolved and addressed in
 GLSA 201701-53 at https://security.gentoo.org/glsa/201701-53
by GLSA coordinator Aaron Bauman (b-man).

@maintainer(s), please cleanup.

Comment 18 Rafael Martins (RETIRED) gentoo-dev

2017-01-23 03:40:08 UTC

(In reply to Aaron Bauman from comment #17)
> This issue was resolved and addressed in
>  GLSA 201701-53 at https://security.gentoo.org/glsa/201701-53
> by GLSA coordinator Aaron Bauman (b-man).
> 
> @maintainer(s), please cleanup.

cleaned up. thanks

Comment 19 Gleb 2017-01-23 06:00:32 UTC

I can see that there's no stable dev-lang/lua for amd64 and x84 arches in the tree, what's wrong?

Comment 20 Rafael Martins (RETIRED) gentoo-dev

2017-01-23 09:57:21 UTC

(In reply to Gleb from comment #19)
> I can see that there's no stable dev-lang/lua for amd64 and x84 arches in
> the tree, what's wrong?

yes, for some reason those keywords disappeared from -r4 before I cleaned up the old ebuilds, and repoman failed to warn me. mgorny fixed it while I was away.

thanks

Comment 21 Jeroen Roovers (RETIRED) gentoo-dev

2017-01-23 11:35:17 UTC

*** Bug 606902 has been marked as a duplicate of this bug. ***

Comment 22 Account Removed 2021-11-29 11:01:35 UTC

The patch for this CVE was deleted together with 5.1.5-r4 in commit 94dbb827593747a05def4ea999d8d153e166795e. Moreover, it was never applied to more recent revisions. In my opinion, it should be re-activated for 5.1.5-r106 and kept for future revisions.

Comment 23 NATTkA bot gentoo-dev

2021-11-29 16:37:02 UTC

Unable to check for sanity:

> no match for package: =dev-lang/lua-5.1.5-r4

Comment 24 Larry the Git Cow gentoo-dev

2022-10-13 13:20:06 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1bc1f784b5c91f2e0be1aa06b155cff958ba22a0

commit 1bc1f784b5c91f2e0be1aa06b155cff958ba22a0
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2022-10-13 13:19:37 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2022-10-13 13:19:37 +0000

    dev-lang/lua: drop 5.1.5-r109, 5.3.6-r5, 5.4.4-r2
    
    Bug: https://bugs.gentoo.org/520480
    Bug: https://bugs.gentoo.org/717780
    Closes: https://bugs.gentoo.org/460114
    Closes: https://bugs.gentoo.org/462064
    Closes: https://bugs.gentoo.org/539826
    Closes: https://bugs.gentoo.org/627330
    Closes: https://bugs.gentoo.org/689598
    Closes: https://bugs.gentoo.org/706378
    Closes: https://bugs.gentoo.org/791772
    Closes: https://bugs.gentoo.org/834153
    Closes: https://bugs.gentoo.org/834911
    Closes: https://bugs.gentoo.org/843320
    Signed-off-by: David Seifert <soap@gentoo.org>

 dev-lang/lua/Manifest                         |   5 -
 dev-lang/lua/files/configure.in               |   5 -
 dev-lang/lua/files/lua-5.1-module_paths.patch |  30 -----
 dev-lang/lua/files/lua-5.1-readline.patch     |  10 --
 dev-lang/lua/files/lua-5.1.4-deprecated.patch |  46 -------
 dev-lang/lua/files/lua-5.1.5-make.patch       |  97 -------------
 dev-lang/lua/files/lua-5.3.6-make.patch       |  91 -------------
 dev-lang/lua/files/lua-5.4.2-r2-make.patch    |  99 --------------
 dev-lang/lua/files/lua.pc                     |  31 -----
 dev-lang/lua/lua-5.1.5-r109.ebuild            | 145 --------------------
 dev-lang/lua/lua-5.3.6-r5.ebuild              | 187 --------------------------
 dev-lang/lua/lua-5.4.4-r2.ebuild              | 184 -------------------------
 dev-lang/lua/metadata.xml                     |  23 ++--
 13 files changed, 11 insertions(+), 942 deletions(-)

Comment 25 John Helmert III archtester

2022-10-14 02:57:24 UTC

Oh, 5.1.6-r2 was eventually renamed to 5.1.5-r200.

Comment 26 John Helmert III archtester

2022-10-14 03:02:28 UTC

GLSA request filed

Comment 27 David Seifert gentoo-dev

2022-10-14 09:39:50 UTC

(In reply to John Helmert III from comment #25)
> Oh, 5.1.6-r2 was eventually renamed to 5.1.5-r200.

Yup, that was my mistake.

Comment 28 John Helmert III archtester

2022-10-14 16:37:02 UTC

(In reply to David Seifert from comment #27)
> (In reply to John Helmert III from comment #25)
> > Oh, 5.1.6-r2 was eventually renamed to 5.1.5-r200.
> 
> Yup, that was my mistake.

No worries! Just noting that's why I'm waffling with summary

Comment 29 Larry the Git Cow gentoo-dev

2023-05-03 10:33:52 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9481b5e54d9a028a3f651d96ca46efd05ac1b3a6

commit 9481b5e54d9a028a3f651d96ca46efd05ac1b3a6
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 10:32:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 10:33:45 +0000

    [ GLSA 202305-23 ] Lua: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/520480
    Bug: https://bugs.gentoo.org/831053
    Bug: https://bugs.gentoo.org/837521
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-23.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)